On 08/30/2017 09:31 PM, Guy Harris wrote:
> On Aug 30, 2017, at 6:00 PM, Ed Beroset <[email protected]> wrote:
>
>> One problem is that as dumpcap is currently written, it treats files and pipes
>> very differently.
>
> *Files* and pipes, or *capture devices* and pipes?

Actually, I meant to say pipes and sockets.

>> but I can't help but think that the general approach you describe is the better
>> long term strategy.
>
> Probably. It means that the interface between *shark and extcap programs would
> be different - but, while having extcap programs behave like dumpcap might
> complicate the extcap programs (although some of the code to do that could be
> in a library used by dumpcap and by extcap programs), it might simplify the
> Wireshark capture code path.

I'm not sure that the interface between dumpcap and Wireshark/tshark
would need to change to accommodate a wider variety of inputs via pipes.
What I meant was that much of the parsing and interpretation of the
file formats seems to be essentially the same whether the data arrives
as a file or as data in a pipe, so it seems, perhaps naively, that some
of the code could also be shared.

>> There are some limitations. Specifically, pipes don't allow random access, so
>> any file formats that currently require that would need to either be rewritten
>
> Which, for at least one capture file format (Network Monitor format), would be
> impossible, as we don't define it, Microsoft does (and they're probably not
> very amenable to changing it, not least because they've deprecated NetMon in
> favor of Message Analyzer). The only file formats *we* control to any degree
> are pcap and pcapng, neither of which require random access in order to read
> them sequentially.

Partly for that reason, I've been concentrating my efforts on only those
two formats for pipe input. My patch is still quite rough, but it's
working for my purposes.
Ed
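The thread's point that pcap can be read sequentially without random access, illustrated by an added example that is not Ed's patch or any Wireshark code: a pcap reader that only ever calls read() (no seek/tell), handles both byte orders and the nanosecond magic, and distinguishes a clean end of stream from a pipe torn down mid-record. The sample capture bytes, the MAX_RECORD sanity bound and the helper names are this example's own constructions.

```python
import struct
from io import BytesIO

MAGICS = {  # magic as read "<I" from the first 4 bytes -> (struct byte order, timestamp divisor)
    0xA1B2C3D4: ("<", 1_000_000), 0xD4C3B2A1: (">", 1_000_000),          # microsecond files
    0xA1B23C4D: ("<", 1_000_000_000), 0x4D3CB2A1: (">", 1_000_000_000),  # nanosecond files
}
MAX_RECORD = 262144  # sanity bound on a record length before allocating for it (constructed)

def read_exact(stream, n):
    """Read exactly n bytes; raise EOFError if the writer went away mid-structure."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError(f"stream ended after {len(buf)} of {n} bytes")
        buf += chunk
    return buf

def read_pcap_stream(stream):
    """Yield (timestamp, linktype, packet) from pcap data using only forward read() calls."""
    magic = struct.unpack("<I", read_exact(stream, 4))[0]
    if magic not in MAGICS:
        raise ValueError(f"not a pcap stream: magic 0x{magic:08x}")
    endian, ts_div = MAGICS[magic]
    # rest of the 24-byte global header: version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", read_exact(stream, 20))
    while True:
        first = stream.read(16)  # a pipe may hand back fewer bytes than asked, or none at EOF
        if not first:
            return  # clean end: the writer closed the pipe exactly on a record boundary
        hdr = first + read_exact(stream, 16 - len(first))
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", hdr)
        if incl_len > MAX_RECORD:
            raise ValueError(f"implausible record length {incl_len}")
        yield ts_sec + ts_frac / ts_div, linktype, read_exact(stream, incl_len)

def build_sample_pcap(endian="<"):
    """Constructed sample: microsecond pcap, LINKTYPE_ETHERNET (1), two short records."""
    hdr = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [(1, 500000, b"\x00" * 14 + b"A" * 10), (2, 250000, b"\xff" * 14)]
    return hdr + b"".join(struct.pack(endian + "IIII", s, us, len(p), len(p)) + p for s, us, p in pkts)

def parse_bytes(data):
    """Run the reader over in-memory bytes; return (records, error message or None)."""
    records, err = [], None
    try:
        for rec in read_pcap_stream(BytesIO(data)):
            records.append(rec)
    except EOFError as e:
        err = str(e)
    return records, err
```

Because the reader never seeks, the same generator works unchanged on a real pipe or socket object, which is the property the thread relies on for pcap and pcapng.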
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:[email protected]?subject=unsubscribe